Added support for argon2, more secure than sha256 with salt.

Kept backwards compat with existing stored keys.
2024-12-22 13:34:04 +03:00 · 2023-07-23 02:16:51 +02:00 · 2023-07-23 02:16:51 +02:00 · 8137373c40
commit 8137373c40
parent 833f8a0a3e
2 changed files with 14 additions and 4 deletions
--- a/server/requirements.txt
+++ b/server/requirements.txt
@ -50,3 +50,4 @@ art
 dnspython
 aiohttp
 uvloop
+argon2-cffi
--- a/server/src/uds/core/managers/crypto.py
+++ b/server/src/uds/core/managers/crypto.py
@ -41,6 +41,8 @@ import logging
 import typing
 import secrets

+# For password secrets
+from argon2 import PasswordHasher

 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@ -263,10 +265,8 @@ class CryptoManager(metaclass=singleton.Singleton):
        if isinstance(value, str):
            value = value.encode()

-        salt = self.salt(8)  # 8 bytes = 16 chars
-        value = salt.encode() + value
-
-        return '{SHA256SALT}' + salt + str(hashlib.sha3_256(value).hexdigest())
+        # Argon2
+        return '{ARGON2}' + PasswordHasher().hash(value.decode())

    def checkHash(self, value: typing.Union[str, bytes], hashValue: str) -> bool:
        if isinstance(value, str):
@ -287,6 +287,15 @@ class CryptoManager(metaclass=singleton.Singleton):
                hashlib.sha3_256(value).hexdigest(), hashValue[28:]
            )

+        # Argon2
+        if hashValue[:8] == '{ARGON2}':
+            ph = PasswordHasher()
+            try:
+                ph.verify(hashValue[8:], value.decode())
+                return True
+            except Exception:
+                return False  # Verify will raise an exception if not valid
+
        # Old sha1
        return secrets.compare_digest(
            hashValue, str(hashlib.sha1(value).hexdigest())  # nosec: Old compatibility SHA1, not used anymore but need to be supported